Wireshark

Wireshark is a packet capture and analysis tool that runs on Windows, macOS, Linux, and other Unix-like systems. Unlike tcpdump or tools such as RawCap, Wireshark is a GUI-based tool that has a number of features for not only packet capture, but also analysis. As a result, it may be difficult to deploy rapidly during an incident, as the program and its capture driver (Npcap on Windows) have to be installed; on Linux it is normally installed from the distribution's package manager. The one distinct advantage that Wireshark has over the command-line options is that incident response analysts can perform a detailed inspection of the traffic as it is being captured.

Wireshark can be run on the system itself or, on Windows, as a portable build from a USB drive. Capturing packets requires elevated privileges: on Windows this normally means running Wireshark as an administrator, while on Linux the usual alternative is to add the analyst's account to the wireshark group so that dumpcap, the capture helper, can capture without root. The first step is to select an interface that Wireshark will capture on:

In the previous screenshot, the only interface that appears to be handling traffic is the Wi-Fi: en0 interface; the small activity graph beside each interface shows whether it is currently seeing packets. Double-clicking on the interface will start a packet capture. As was stated before, unlike tcpdump or RawCap, the captured packets are displayed on screen for immediate analysis:

To stop the capture, click the red square (Stop) button at the left-hand end of the toolbar. The capture can then be saved (File > Save As) for further analysis.

Another tool that is included with Wireshark and is useful during evidence acquisition is Mergecap. Mergecap is a command-line tool that allows incident response analysts to combine multiple packet capture files, whether they came from Wireshark, tcpdump, or RawCap. This is extremely useful in situations where incident response analysts obtain packet captures from several sources but want to check for traffic to a specific host. To display Mergecap's usage information, type the following at the command prompt:

~$ mergecap -h

That command produces the following help information:

To merge several packet capture files, the following command is used:

~$ mergecap -w switches.pcap switch1.pcap switch2.pcap switch3.pcap

By combining the output of three packet captures into one file, the incident response analyst has the ability to examine a wider range of activity across multiple network paths. If, for example, the analyst is searching for traffic from an unknown internal host to an external C2 server, they can merge the captures from across the network and then search that single file for the C2 address rather than picking through each packet capture individually. Two points to keep in mind: by default Mergecap interleaves the packets from all inputs in timestamp order (the -a option appends the files one after another instead), so the merged timeline is only as trustworthy as the clock synchronization of the capture sources; and the output is written in pcapng format regardless of the .pcap extension unless -F pcap is specified.
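What Mergecap does with those three files, shown as an added example that is not part of the original text or of the Wireshark project's own code: the Python script below writes three small, constructed pcap files, performs the same timestamp-ordered merge that mergecap -w does by default, and then searches the merged file for packets addressed to a hypothetical C2 server (198.51.100.7, taken from the documentation address range). It writes classic pcap rather than the pcapng that Mergecap produces, and the switch names, internal addresses, and timestamps are all made up for the demonstration.

```python
import heapq
import os
import socket
import struct
import tempfile

# Classic libpcap file format (not pcapng, which mergecap writes by default).
PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond timestamps, file is little-endian when read as "<I"
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic as it appears in a big-endian file
LINKTYPE_RAW = 101           # records hold raw IPv4/IPv6 packets with no link-layer header


def write_pcap(path, packets):
    """Write (ts_sec, ts_usec, packet_bytes) records to a little-endian pcap file."""
    with open(path, "wb") as f:
        # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
        for sec, usec, data in packets:
            f.write(struct.pack("<IIII", sec, usec, len(data), len(data)) + data)


def read_pcap(path):
    """Yield (ts_sec, ts_usec, packet_bytes) from a microsecond-resolution pcap file."""
    with open(path, "rb") as f:
        header = f.read(24)
        magic = struct.unpack("<I", header[:4])[0]
        if magic == PCAP_MAGIC_LE:
            endian = "<"
        elif magic == PCAP_MAGIC_BE:
            endian = ">"
        else:
            raise ValueError("not a microsecond-resolution pcap file: %s" % path)
        while True:
            rec = f.read(16)
            if len(rec) < 16:        # end of file (or a truncated trailing record)
                return
            sec, usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
            yield sec, usec, f.read(incl_len)


def merge_chronological(paths):
    """k-way merge on (ts_sec, ts_usec), which is mergecap's default behaviour.
    Like mergecap, this assumes each input file is already in timestamp order."""
    return list(heapq.merge(*(read_pcap(p) for p in paths), key=lambda r: (r[0], r[1])))


def ipv4_checksum(header):
    """RFC 791 ones'-complement checksum over a header with an even byte length."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto=6, payload=b""):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ipv4_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload


def find_traffic_to(packets, target_ip):
    """Return (ts_sec, ts_usec, src_ip) for every IPv4 packet addressed to target_ip."""
    hits = []
    for sec, usec, data in packets:
        if len(data) < 20 or data[0] >> 4 != 4:   # skip truncated or non-IPv4 records
            continue
        if socket.inet_ntoa(data[16:20]) == target_ip:
            hits.append((sec, usec, socket.inet_ntoa(data[12:16])))
    return hits


def demo(workdir=None):
    """Constructed scenario: captures from three switches, one suspected C2 address."""
    workdir = workdir or tempfile.mkdtemp()
    c2 = "198.51.100.7"   # hypothetical external C2 server (TEST-NET-2 documentation range)
    # Constructed sample captures; the timestamps deliberately interleave across files.
    captures = {
        "switch1.pcap": [(1700000000, 100, build_ipv4("10.0.1.15", "10.0.1.1")),
                         (1700000002, 0, build_ipv4("10.0.1.15", c2))],
        "switch2.pcap": [(1700000001, 0, build_ipv4("10.0.2.20", "10.0.2.1")),
                         (1700000003, 500000, build_ipv4("10.0.2.44", c2))],
        "switch3.pcap": [(1700000000, 50, build_ipv4("10.0.3.9", "10.0.3.1"))],
    }
    paths = []
    for name, records in captures.items():
        path = os.path.join(workdir, name)
        write_pcap(path, records)
        paths.append(path)
    merged_path = os.path.join(workdir, "switches.pcap")      # same role as mergecap -w
    write_pcap(merged_path, merge_chronological(paths))
    merged = list(read_pcap(merged_path))
    return {
        "order": [(sec, usec) for sec, usec, _ in merged],
        "hits": find_traffic_to(merged, c2),
    }


if __name__ == "__main__":
    result = demo()
    print("merged order:", result["order"])
    print("traffic to C2:", result["hits"])
```

The merged order comes out as switch3, switch1, switch2, switch1, switch2 even though the files were given in the order switch1, switch2, switch3, which is exactly why clock skew between capture points matters: the merge trusts the timestamps, not the file order. The search step is the pcap equivalent of applying a display filter such as ip.dst == 198.51.100.7 to the merged file in Wireshark.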
